What CEOs Should Know About Cybersecurity

If you are a typical CEO, a discussion about cybersecurity probably makes you a bit tense. It’s a deeply technical topic, the risks are varied and difficult to quantify, and there are many vendors and experts continuously beating the drum that you are not doing enough or that your organization may be open to catastrophic attack.

News headlines give no solace: Ransomware attacks on global hospital infrastructure systems, Yahoo revising its purchase price down $500 million to Verizon because of hacked accounts, or Zomato getting off lightly for compromising 6.6 million user accounts and passwords. And of course, there was the catastrophic attack on Sony Pictures in 2014.

As a founder and CTO of a large software company, managing sensitive data and creating corporate policy is a key part of my responsibility. I recently moderated a discussion about cybersecurity at the Young Jewish Professionals CEO group that included cybersecurity leaders, CEOs and members of the law enforcement community. Here is what experts think CEOs should know about cybersecurity:

Cybersecurity Is Now A Board-Level Issue, But The Fiscal Risks (In The U.S.) Are Still Low

Given the visibility and public disclosure required of cyberattack breaches, cybersecurity and enterprise readiness has become a board-level discussion. CEOs can no longer pretend it is just an IT issue. On corporate risk evaluations, cybersecurity comes right after local tax liability. As silly as that sounds, it clearly deserves dedicated attention.

The good news is that studies have shown that cyberattacks have little effect on long-term corporate value. The share prices typically recover within 12 months. The reason that Yahoo had to write down $500 million is simply that the timing of the cyberattack coincided with the acquisition. Timing can be costly, partly because there are few financial recourses for a breach.

If private data is compromised, individuals have to prove real harm for a fiscal penalty to apply, and it’s often too hard to make a conclusive case based on breached data. Laws in the EU are much more punitive, as breached data is often sold to hacker networks and the damage from the breach is real, but rarely traceable. In Europe, the new GDPR regulations can collect fines up to €20 million or 4% annual global turnover — whichever is greater, forcing firms operating in Europe to be much more stringent about security.

Cyberattacks Should Be Approached As A Matter Of When, Not If

Put yourself in the mindset that you will be attacked. You are probably being probed for vulnerabilities as I type this. An unprotected Windows machine hooked up to the internet wcan be compromised in seconds. This is not personal; hackers cast a wide net looking for open targets. That’s why so many cybersecurity solutions invest in prevention. But the reality is that if you have a valuable asset (data, transactions, money) and you are targeted, hackers can get in. The question is a matter what type of damage will they be able to do.

Policies Must Be Put In Place To Mitigate Damage After Breach

On average, the lag time between a breach and discovery is 200 days, and from discovery to mitigation is 60 days. Even worse, those numbers are going up. That gives hackers ample time to freely spread within your infrastructure. Your security team should not have a 9-to-5 mentality: Hackers can specifically target Friday night attacks so they have the full weekend to get what they need. Security should be a 24/7 effort, just like physical security.

An action plan should be clearly formulated well ahead of any breach. Once the threat is detected, it’s time to act urgently, not ask questions of who to call and what to do. There are a variety of third-party services that can help augment internal processes, but these should be properly tested before an event and it must be clear that the responsibility for detection should still be internal and shared.

System Firewalls And External Protection Are Just 25% Of Threat Mitigation

Only about 25% of attacks are so-called zero-day attacks, unpatched core-system-level vulnerabilities like the recent ransomware attacks. Seventy-five percent of successful breaches come from employees compromising the system behind all the protections put in place. Training and corporate policy governance are key. Great companies make this part of the culture, where everyone is part of the effort to protect the organization.

Implement A More Holistic Cyber-Security Service Approach

Services, not just products, are a key part of a holistic approach. Many cybersecurity product vendors install with out-of-the-box configurations that don’t reflect the complexity of your network and thus leave open vulnerabilities. Third-party audits and service consulting should accompany any implementation. There are many services worth exploring, including cyberattack insurance to cover catastrophic costs like in the Sony attack, breach escalation services that can augment internal resources, and more.

Treat Cybercrime Like Regular Crime

One of the most passionate pleas from the cybersecurity vendors is for CEOs and law enforcement officials to treat cybercrime like regular physical crime. We have digitized documents, commerce and media to make them faster, cheaper and better, and criminals have done the same with crime. In fact, ransomware attacks are up 8x year over year and are now a billion dollar market.

A CEO wouldn’t hide a physical break-in or assault, and you shouldn’t hide a cybercrime either. Not only should CEOs engage law enforcement in similar ways, but they should also be lobbying the government to invest more in counter-cyberterrorism and revisit their policies in stockpiling and securing cyber weapons, like the ones that leaked from the CIA and are being used as ransomware in medical facilities around the world.

No one expects you to be a cybersecurity expert. However, boards do expect awareness, diligence and that cybersecurity risks are actively understood and mitigated. By preparing the organization and yourself for cyberattacks, you become a more bulletproof CEO if a cyberattack is, in fact, successful.